CT1

The health sector has long lagged other sectors in replacing paper recordkeeping with more efficient electronic information technology. Although health care reformers justifiably bemoan the long delays in modernizing health care, there is a large and growing store of digital health data. It includes electronic claims, e-prescribing and pharmacy dispensing scripts, images, labs, and information captured by clinicians in electronic health records (EHRs). Paralleling the slow expansion of digital health data used by providers and businesses, the last few years have also seen increased interest in PHRs as tools for consumers to better manage their health and health care.

Both trends are potentially beneficial. Both can help get the right information to the right people in a timely way. One way to look at the two trends is as separate categories of health data streams. We'll call them "business data streams" and "consumer data streams."

In both areas, but particularly in consumer data streams, no dominant suppliers have emerged. The role of federal or state oversight remains uncertain and contentious. Many social and political discussions are developing that reflect significant concerns about inappropriate uses of electronic personal health information, including the perceived risk to employment, insurance coverage, reputation, identity, or exposure to unauthorized marketing or solicitations. For these reasons, now is the critical time to examine the emerging digital data flows.

In the Digital Age, 'Copies' Are What Matter

In an electronic environment, information can be rapidly copied and shared. A piece of data captured in one place may be forwarded to another, then another, and so on. Each time, the "sender" does not erase the data after passing it on. A copy is typically stored at each place. And each party that touches the data may add or modify information according to its business needs.

Because of this frequent copying and modifying, it is not useful or practical to discuss "ownership" of data in health care, in the sense that an owner of a paper file can allow use of the file without providing a copy. In the digital world, use of data proliferates copies as a side effect. And those copies, once made, must be retained by some recipients (e.g., medical professionals), by law. It is also not useful to apply old paradigms to protecting data such as locked file cabinets or creating lock boxes of electronic data. It is, however, critical to talk about proper custodianship of electronic personal health information copies – and under what authorizations and circumstances those copies may be shared.

The liquidity of health data copies creates both benefits (e.g., rapid retrieval, data analytics) and risks (e.g., personal privacy, errors).

Business Data Streams in Health Care

Throughout life, the typical consumer's health data is scattered among many health care providers, payers, clearinghouses, and other services (some of which are largely unknown to the public). Digital information flows through the health sector based on business requirements, typically with a complex series of handoffs stemming from business relationships. For example, Appendix A follows the data trail of a single drug prescription, the most common clinical transaction. Just to put the pills in the bottle, under the "simple" scenario, there are 10 different electronic copies of the information stored in various databases. The following are general observations about business data streams:

• There are multiple copies captured, cached, and/or warehoused at multiple locations. Electronically networked information can rarely be deleted without a trace.
• Businesses play various roles in the data stream. The personal health data copies create business value at various points. Just a few examples of copies creating value in aggregate or personal form (See "Complex Case," in Appendix A.):
  • Data aggregation companies sell de-identified prescription data to pharmaceutical companies, which use it in their sales representative meetings with physicians.
  • Large claims clearinghouses sell data analytics services to payers or employers.
  • Copies also are sent to preferred provider organizations for pricing, disease management companies for direct intervention, specialized services to detect fraud, etc.
• Different business entities participate at each handoff, with different business objectives and motivations. They may maintain different relationships with consumers, providers, payers, employers, etc. They each may have different internal policies and practices. And each may handle different subsets of the data, as information is continually filtered, scrubbed, augmented, etc., along the way.
• There are many potential points of vulnerability and exposure – in various repositories, archiving/backup, and hacking.
• The consumer has limited exposure to most business data streams. The typical consumer has no convenient way to know how her data will be stored or merged with other files, or re-identified. In short, it's very difficult for an individual to learn or understand very much about existing and emerging business health data streams.

Consumer Data Streams

We distinguish consumer data streams as the flow of personal health information into and out of consumer-accessible applications such as PHRs. There are increasing opportunities for consumers to participate in consumer data streams. Consumers are increasing their own contributions to new data streams by uploading health-related content about themselves to various Internet services. We are witnessing a proliferation of data streams through new services offering consumers the ability to obtain copies of information captured about them at various points along the business data stream. Large integrated delivery networks, employer groups, and payers have all launched plans to supply individuals with PHRs that can be pre-populated with personal health information from various sources.

There are several barriers, however, to such initiatives becoming interconnected on an open network. The current evolution of PHRs and Consumer Access Services reflects the fragmented health care sector. The current direction is that many of the more sophisticated PHR products will be based on specific business relationships with specific populations of consumers (e.g., integrated delivery networks, health plans, and employers offering PHRs to their respective members/employees). Many Health Data Sources are likely to favor their own PHRs, if they exist, over applications offered by third parties. New Consumer Access Services face a difficult task of negotiating contracts with the many Health Data Sources, each with its own business considerations and legal hurdles, in order to gain access to consumers' personal health data.

Secondly, data captured at any one point is often not valuable to consumers. It often needs to be combined with information from other sources and then given proper interpretation to be useful. Consumers will likely need new services to collect and add value to copies of their health data. (See Consumers as Network Participants.)

A further privacy consideration is that the new consumer data streams will produce new generations of data copies and stores. There will be ever more opportunities for organizations to capture, combine, and share health information about individuals. These new data sets include things like:

• IP addresses, cookies, and web beacons and similar technologies.
• Search keywords (which can be revealing about an individual's health concerns and often can be tied back to the individual).
• Information contributed by consumers (e.g., PHR data entries, patient diaries, consumer ratings services, online community posts).
• Information collected from health monitoring devices (e.g., blood pressure, blood glucose, etc.).
• Information collected by consumers (e.g., scanned documents and images, etc.).
• Genetic information.

(See Appendix A of CT4: Limitations on Identifying Information for a discussion of how "partially identifying data" can be combined with other information to establish identity.)

The emergence of consumer data streams poses a challenge to traditional health care institutions. Technology companies with powerful global brands operate within a vastly different business culture from health care organizations. They have different relationships with consumers, and separate legal and regulatory frameworks. Increased technology innovation and consumer participation will challenge traditional health care organizations as they seek the attention of the 21st Century patient/consumer, who is increasingly accustomed to Internet-based services in other sectors, such as finance or travel. Faced with increasing out-of-pocket health costs, as well as personal and societal needs for better health self-management, today's consumers need better tools as well as assurances that their information will be handled according to fair information practices.

Appendix A: Data Flow Scenarios

The following scenarios are designed to illustrate electronic data streams for the most common transaction in health care: a drug prescription. The first scenario describes a common and simplified set of transactions stemming from a small clinical practice. The second scenario adds sophistication and complexity, depicting transactions that are less common today (although they may become more common in the emerging electronic environment). The additional transactions increase potential value for many stakeholders, including the consumer, but also heighten the risk to privacy and security due to multiple round trips across data sources and copies being held by an increasing array of parties.

Note: The numeric sequence of "copies" below is designed to help the reader understand the parties that create and receive information related to a prescription transaction. A real-world chronology would be different than the sequence reflected here, as some transactions are batched with longer lag times than others.

Scenario 1 (SIMPLE)

Radhika Parekjhi, MD, works for a small practice that does not have an electronic health record (EHR) or e-prescribing application. The practice does, however, utilize practice management software for electronic claims submittal. Steve Jones, a pharmacist with ACME Pharmacy Chain, performs his work using a pharmacy information system that includes e-prescribing functionality.

• In follow-up to receiving abnormal blood test results at a health fair, Millie Robin makes an appointment to see Dr. Radhika Parekjhi.
• At the appointment, Dr. Parekjhi reviews Millie's current health status and health history (including her abnormal lab results), performs an exam, and orders additional tests. Based on this information, Dr. Parekjhi diagnoses a medical condition and decides to prescribe a new medication. (Millie's doctor's office stores this information, copy I-1, in the paper chart for Millie at the practice. The "I" designates a copy that includes "identifiable" data.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Millie (patient)	Demographic/ Contact Insurance Employment Provider seen/referred Biometric data (e.g., blood pressure) Diagnoses/ Problem list Procedures Medications Allergies Immunizations Hospitalization history Laboratory results Other health history (e.g., family history of heart disease) Lifestyle history (e.g., smoker) Social history (e.g., married)	Information provided by Millie in the context of her appt. w/ Dr. Parekjhi	Millie ⇒ Patient Registration (Paper chart) Millie ⇒ Dr. Parekjhi and staff (Paper chart)	I-1 (paper)	Visit history Doctor progress notes Other information specific to care received at this practice

• After reviewing Millie's current medications, problem list, and medication allergies, Dr. Parekjhi finds no contraindications or interactions and decides to prescribe medication "X" to treat Millie's newly diagnosed medical condition.
• Dr. Parekjhi writes a paper prescription for medication "X" and hands it to Millie.
• Dr. Parekjhi completes documentation for Millie's encounter, and the following day a coder employed by the practice electronically submits a claim to Millie's Health Plan (Payer) for payment. This information includes Millie's diagnosis, procedural and other personal health information.¹ 

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Doctor office paper chart	Demographic/ Contact Insurance Health claim type (e.g., Workman's Comp) Prescriber ID (e.g., DEA#) Employment Diagnoses Procedures (including the CPT code that contains the prescribed medication)	Health claim submitted to Payer	Doctor's office ⇒ Claims Clearninghouse	I-2	Other claims submitted to same Clearinghouse

• A Claims Clearinghouse entity receives the claim, processes it, and sends it to Millie's Payer in the Payer's required format. (Clearinghouse stores copy I-2.)
• The Clearinghouse sells aggregated de-identified data to research companies as part of its revenue model. (A Health Care Market Research Company stores de-identified copy DI-1. "DI" stands for data that has been "de-identified".)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Clearinghouse	De-identified data	Generate revenue	Claims Clearninghouse ⇒ Health Care Market Research Company	DI-1	n/a

• Millie's Payer receives the claim from the Clearinghouse and adjudicates the claim. (Payer stores copy I-3.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Clearinghouse	Demographic/ Contact Insurance Health claim type (e.g., Workman's Comp) Prescriber ID (e.g., DEA#) Employment Diagnoses Procedures	Claim processing completed; ready for adjudication	Claims Clearinghouse ⇒ Payer	I-3	Other claims for Millie submitted to this same Payer

• Millie's Payer sends a de-identified copy of Millie's data to a third-party organization for data analysis. This third-party stores copy DI-2.

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Payer	De-identified data	Analysis on quality and effectiveness	Payer ⇒ Data Analytics Company	DI-2	n/a

• Millie arrives at her Pharmacy and hands the paper prescription to a pharmacist assistant. As required by protocol, the assistant confirms Millie's information and collects additional information required to process/fulfill the prescription. (Millie's Pharmacy stores the information in its system, copy I-4.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Millie's prescription	Demographic/ Contact Insurance Prescriber ID Medication prescribed (medication "x")	Millie presents in-person to fill her new prescription	Millie's paper prescription ⇒ Millie's Pharmacy	I-4	Other prescriptions filled at this Pharmacy (and chain if applicable)

• The pharmacist assistant who receives Millie's prescription makes a "Formulary and Benefits and Drug Utilization Review" request via the Pharmacy's information system to Millie's Pharmacy Benefits Manager (PBM) via a pharmacy claims processing network or via a direct connection between the Pharmacy and the PBM. (Millie's PBM stores copy I-5.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Medication prescribed (medication "x")	Formulary and Benefit and Drug Utilization Review (REQUEST)	Pharmacy ⇒ Millie's PBM (via claims processing network)	I-5	Claims-based Rx history data, specific to the PBM

• Millie's PBM sends the requesting Pharmacy a response message which includes a confirmation of Millie's medication benefits eligibility (i.e., whether the PBM accepts or rejects the claim), Millie's co-pay for medication "X," and a message indicating that no medication interactions were found based on Millie's medication history (as known by this PBM). Millie's Pharmacy stores copy I-6.

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Millie's PBM	Demographic/ Contact Insurance Interaction alert(s)	Formulary and Benefit and Drug Utilization Review (RESPONSE)	Millie's PBM (via claims processing network) ⇒ Pharmacy	I-6	Other prescriptions filled at this Pharmacy (and chain if applicable)

• Pharmacist Steve Jones fills the prescription and Millie pays the co-pay.
  • Because the Pharmacy is part of a larger chain, a copy of Millie's prescription transaction is sent to the Pharmacy's Central Data Warehouse. (The Pharmacy's central data warehouse stores copy I-7.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Insurance Prescriber ID (e.g., NPI) Medication(s) prescribed and/or dispensed	Transfer of information to Pharmacy's data warehouse	Pharmacy ⇒ Pharmacy's Central Data Warehouse	I-7	Other prescriptions previously filled by this Pharmacy chain

• The Pharmacy submits a claim to Millie's PBM for payment. (Millie's PBM stores copy I-8.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Insurance Prescriber ID (e.g., NPI) Medication(s) prescribed and/or dispensed Claim information	Pharmacy requests payment for Millie's medication	Pharmacy ⇒ Millie's PBM	I-8	Other claims for Millie submitted to this PBM for adjudication

• Millie's PBM adjudicates the claim and sends it to Millie's Payer for payment. (Millie's Payer stores copy I-9.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Adjudicated claim	Payment of medication claim	Millie's PBM ⇒ Millie's Payer	I-9	Other claims for Millie submitted to this Payer

• Millie's Payer sends Millie's adjudicated claims data ready for payment to a Third Party Administrator (TPA) that pays each claim (the doctor's visit and Pharmacy claim) and sends Millie an Explanation of Benefits (EOB) detailing financial components of her visit with Dr. Parekjhi, including the amount billed, amount eligible for payment, insurance benefit paid or applied to deductible, and Millie's expected remaining balance due. (The TPA stores copy I-10.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Payer	Demographic/ Contact Millie's adjudicated claims data	To enable the TPA to pay Millie's claim and send Millie an EOB	Health Plan (Payer) ⇒ Third Party Administrator ⇒ Millie	I-10	Other adjudicated data about Millie received by this TPA

• Millie's PBM may be allowed to de-identify the transaction and send this de-identified data to a Pharmaceutical Manufacturer and/or sell it to a Pharmaceutical Market Intelligence Company. (The Pharmaceutical Manufacturer and Pharmaceutical Market Research Company each store a copy of Millie's de-identified data, copies DI-3.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
PBM	De-identified data	Generate revenue or fulfill contractual obligations	PBM ⇒ Pharmaceutical Market Research Company	DI-3	n/a

Scenario 2 (COMPLEX)

Jennifer Smith, MD, works for a hospital medical group that uses practice management software and an electronic health record (EHR) that includes e-prescribing and electronic claims submittal functionality; Steve Jones, a pharmacist with ACME Pharmacy Chain, performs his work using a pharmacy information system that includes e-prescribing functionality.

• In follow-up to receiving abnormal blood test results at a health fair, Millie Robin makes an appointment to see Dr. Smith.
• At the appointment, Dr. Smith reviews Millie's current health status and health history (including her abnormal test results), performs an exam, and orders additional tests. Based on this information, Dr. Smith diagnoses a medical condition and decides to prescribe a new medication. (The Hospital's EHR stores a copy of this information, copy I-1. The "I" designates "identifiable" data).

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Millie (patient)	Demographic/ Contact Insurance Employment Provider seen/referred Biometric data (e.g., blood pressure) Diagnoses/ Problem list Procedures Medications Allergies Immunizations Hospitalization history Laboratory results Other health history (e.g., family history of heart disease) Lifestyle history (e.g., smoker) Social history (e.g., married)	Millie's appt. w/ Dr. Smith	Millie ⇒ Patient Registration/ Scheduling (Hospital PMS/EHR) Millie ⇒ Dr. Smith and staff (Hospital EHR)	I-1	Doctor progress notes Visit history Other information specific to care received at Hospital

• Before proceeding, Dr. Smith uses her e-prescribing tool to make an Rx History Request.²  This request is for the past 120 days of Millie's retail prescription history and includes Millie's Name, DOB, and Gender. This information is submitted electronically and routed through SureScripts' Pharmacy Health Information Exchange (PHIE). (SureScripts and Hospital's EHR store copies I-2 and I-3, respectively.) (Note that alternatively, Dr. Smith's e-prescribing tool may allow her to request a Claims Medication History from Millie's PBM to receive prescription history from all pharmacies, including mail-order, for which Millie used her medication benefits. However, the specifics of this alternative scenario are not covered here.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EHR	Demographic/ Contact Prescriber ID (e.g., NPI)	Retrieve last 120 days of Rx history (REQUEST)	Hospital EHR ⇒ SureScripts ⇒ Pharmacy networks ⇒ SureScripts	I-2	Retail-based Rx history data older than 120 days
SureScripts	Demographic/ Contact Medication history	Retrieve last 120 days of Rx history (RESPONSE)	SureScripts ⇒ Hospital EHR	I-3	n/a

• After reviewing/confirming Millie's updated retail medication history, problem list, and medication allergies and finding no potential contraindications or interactions, Dr. Smith informs Mille that she would like to prescribe medication "X" to treat her medical condition.
• Because Millie expresses concern about the possibility of high out-of-pocket costs, Dr. Smith uses her e-prescribing tool to make a Formulary and Benefits Information³  request to determine whether medication "X" is on Millie's pharmacy benefits formulary. (Note that more commonly in offices with e-prescribing and scheduling software, this type of transaction is handled automatically via an interface between the two systems.)
• Millie's First/Last Name, DOB, Gender, Zip Code, and medication "X" are electronically transmitted to RxHub (a "switch of switches" for major pharmacy benefit managers, or PBMs) to uniquely identify Millie in RxHub's Master Patient Index prior to RxHub routing the request to Millie's current Pharmacy Benefits Payer/PBM. (RxHub does not store a copy of data received/sent.) Millie's PBM receives the request (and stores copy I-4), and routes a response back through RxHub to Dr. Smith's EHR via the e-prescribing application. The response message indicates that Millie is eligible for prescription drug coverage and that the medication is on formulary but requires "prior-authorization."

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EHR	Demographic/ Contact Medication prescribed (medication "x")	Benefits Eligibility and Formulary Request (REQUEST)	Hospital EHR ⇒ Millie's PBM	I-4	Claims-based Rx history data, specific to the PBM
Millie's PBM	Demographic/ Contact Insurance Prior-authorization status	Benefits Eligibility and Formulary Request (RESPONSE)	Millie's PBM ⇒ Hospital EHR	Not stored

• Millie is satisfied with the formulary information (and expected out-of-pocket costs), and asks Dr. Smith to have the prescription sent to her local Pharmacy.
• Because Millie's medication requires prior-authorization (a medical necessity review of clinical data submitted by the prescribing physician and available prescription drug history against pre-established clinical criteria), Dr. Smith must fill out additional diagnosis and medication history for Millie and fax a completed prior-authorization request to Millie's PBM with an expected one-business day turnaround time to receive request approval.⁴  (Millie's PBM stores copy I-5.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EMR	Demographic/ Contact Insurance Prescriber ID (e.g., NPI) Diagnoses/ Problem list Medication(s) prescribed	Prior-Authorization for medication is required	Hospital ⇒ Millie's PBM	I-5 (paper fax)	Claims-based Rx history data, specific to the PBM Additional health data, see I-13

• Confident that Millie's PBM will approve the new medication, Dr. Smith uses the e-prescribing application's pharmacy directory to find Millie's Pharmacy and send the prescription electronically. This request/response is sent via SureScripts' PHIE.⁵  (SureScripts stores copy I-6.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EHR	Demographic/ Contact Pharmacy # Prescriber ID (e.g., NPI) Medication(s) prescribed	e-Prescription, step 1 of 2	Hospital EMR ⇒ SureScripts	I-6	Retail-based Rx history data

• Dr. Smith completes documentation for Millie's encounter, and a claim is sent to Millie's plan sponsor (Payer) for payment. This information includes diagnosis, procedural, and other personal health information⁶  about Millie.
  • A Claims Clearinghouse receives the claim, processes it, and sends it along to Millie's Payer in the required format. (Clearinghouse stores copy I-7.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EMR	Demographic/ Contact Insurance Health claim type (e.g., Workman's Comp) Prescriber ID (e.g., DEA#) Employment Social history (e.g., married) Diagnoses Procedures	Health insurance claim submitted to Payer	Hospital EMR ⇒ Claims Clearinghouse	I-7	Other claims submitted to same Clearinghouse

• The Clearinghouse sells aggregated de-identified data to health care market research companies for profit. (Health Care Market Research Company stores de-identified copy DI-1. "DI" indicates "de-identified" information.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Clearinghouse	De-identified data	Generate revenue	Claims Clearinghouse ⇒ Health Care Market Research Company	DI-1	n/a

• If the Hospital that employs Dr. Smith has rights to Millie's Rx data, the Hospital may de-identify it and sell it to a health care market intelligence company. (The Health Care Market Research Company stores de-identified copy DI-2.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Hospital EHR	De-identified data	Generate revenue	Hospital ⇒ Health Care Market Research Company	DI-2	n/a

• The Payer receives the claim from the Clearinghouse, adjudicates it, and pays the Hospital. (Payer stores copy I-8.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Clearinghouse	Demographic/ Contact Insurance Health claim type (e.g., Workman's Comp) Prescriber ID (e.g., DEA#) Employment Social history (e.g., married) Diagnoses Procedures	Clearinghouse requests reimbursement from Payer	Claims Clearinghouse ⇒ Payer	I-8	Other claims for Millie while she has received health insurance from this Payer

• Millie's Payer sends de-identified data about Millie to a third-party organization for data analysis. (Data Analytics Company stores copy DI-3.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Payer	De-identified data	Analysis on quality and effectiveness	Payer ⇒ Data Analytics Company	DI-3	n/a

• Millie's Pharmacy's information system receives the prescription request via SureScripts.⁷  (Millie's Pharmacy stores copy I-9.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
SureScripts	Demographic/ Contact Prescriber ID Medication(s) prescribed	e-Prescription, step 2 of 2	SureScripts ⇒ Millie's Pharmacy	I-9	Other prescriptions filled at this Pharmacy (and chain if applicable), and any MTM program data

• Following protocol, the pharmacist assistant who receives Millie's prescription makes a "Formulary and Benefit and Drug Utilization Review" request via a pharmacy claims processing network or via a direct connection between the Pharmacy and the PBM. (Millie's PBM stores copy I-10.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Medication(s) prescribed	Formulary and Benefit and Drug Utilization Review (REQUEST)	Pharmacy ⇒ Millie's PBM (via a claims processing network)	I-10	Claims-based Rx history data, specific to the PBM

• Millie's PBM sends the Pharmacy a confirmation of Millie's medication benefits eligibility (i.e., whether the PBM accepts or rejects the claim) along with Millie's co-pay, a notice that prior-authorization has been granted, and a message indicating that no medication interactions were found based on Millie's medication history (as known by her current PBM). Millie's Pharmacy stores copy I-11.

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Millie's PBM	Demographic/ Contact Insurance Interaction alert(s) Prior-authorization status	Formulary and Benefit and Drug Utilization Review (RESPONSE)	Millie's PBM (a claims processing network) ⇒ Pharmacy	I-11	Other prescriptions filled at this Pharmacy (and chain if applicable), and any MTM program data

• Pharmacist Jones fills the prescription and Millie arrives to pick it up/pay for it.
  • Because the Pharmacy is part of a larger chain, a copy of Millie's prescription transaction is sent to the Pharmacy's Central Data Warehouse. (Millie's Pharmacy's Central Data Warehouse stores copy I-12.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Insurance Prescriber ID (e.g., NPI) Medication(s) prescribed and/or dispensed	Transfer of information to Pharmacy's data warehouse	Pharmacy ⇒ Pharmacy's Central Data Warehouse	I-12	Other prescriptions previously filled by this Pharmacy chain

• If the prescribed medication is a schedule II controlled substance, the Pharmacy is typically required to send the state a copy of Millie's Rx data to be fed into a government system aimed at identifying and curbing prescription drug abuse. (State/Fed Rx Data Warehouse stores copy I-13+.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Prescriber ID Medication(s) dispensed	Rx (controlled-substance) patient registry	Pharmacy ⇒ State/Fed Rx Data Warehouse	I-13+	Other Rx (controlled-substance only) information about Millie

• Via an e-Alert, the Pharmacy Information System informs Pharmacist Jones that Millie qualifies for a Medication Therapy Management (MTM) program offered by her PBM. As part of the Pharmacist-patient dialog, Pharmacist Jones informs Millie of her eligibility, receives her authorization to participate, and then collects additional PHI before educating her about medication use optimization/adherence and how to reduce the risk of adverse drug events through avoidance of certain drug and food interactions.
  • Pharmacist Jones submits an electronic claim to Millie's PBM for reimbursement for MTM services he provided.⁸  (Millie's PBM stores copy I-14.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Insurance Medication(s) dispensed MTM procedures (CPT)	Receive payment for MTM services provided to Millie	Pharmacy ⇒ Millie's PBM	I-14	Claims-based Rx history data, specific to the PBM

• The Pharmacy submits a claim to Millie's PBM for payment. (Millie's PBM stores copy I-15.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Insurance Prescriber ID (e.g., NPI) Medication(s) prescribed and/or dispensed MTM procedures (CPT)	Pharmacy requests payment for Millie's medication and for MTM services provided to Millie	Pharmacy ⇒ Millie's PBM	I-15	Other claims for Millie submitted to this PBM for adjudication

• Millie's PBM may be allowed to de-identify the transaction and send de-identified data to the Pharmaceutical Manufacturer and/or sell it to a Pharmaceutical Market Intelligence Company. (The Pharmaceutical Manufacturer and Pharmaceutical Market Research Company each store copies of de-identified data, copies DI-4; "DI" designates "de-identified" data.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
PBM	De-identified data	Generate revenue	PBM ⇒ Pharmaceutical Market Research Company	DI-4	n/a

• Millie's PBM adjudicates the claim and sends it to Millie's Payer for payment. (Millie's Payer stores copy I-16.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Pharmacy	Demographic/ Contact Adjudicated claim(s)	Payment of medication claim and MTM claim	Millie's PBM ⇒ Millie's Payer	I-16	Other claims for Millie submitted to this Payer

• Millie's Payer sends Millie's adjudicated claims data ready for payment to a Third Party Administrator that pays the claims and sends Millie an Explanation of Benefits (EOB) detailing financial components of her visit with Dr. Smith including the amount billed, amount eligible for payment, insurance benefit paid or applied to deductible, and Millie's expected remaining balance due. (The TPA stores copy I-17.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Payer	Demographic/ Contact Millie's adjudicated claims data	To enable the TPA to pay Millie's claim and send Millie an EOB	Payer ⇒ Third Party Administrator ⇒ Millie	I-17	Other adjudicated data about Millie

• Authorized as part of Millie's medical insurance plan, Millie's Payer sends a copy of Millie's prescription transaction along with other of Millie's PHI to a third-party Condition Management Company for program eligibility analysis and/or determination of appropriate care management protocol(s). (Disease Management Company stores copy I-18.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
Payer	Demographic/ contact Insurance Health claim type (e.g., Workman's Comp) Prescriber ID (e.g., NPI) Employment Diagnoses Procedures Medication(s) prescribed	Determine Millie's eligibility for disease management program eligibility	Payer ⇒ Third-party Disease Management Company	I-18	Data collected about Millie for past eligibility determination and/or additional personal data collected as part of another enrolled program

• Millie registers/signs-up for a PHR application provided by her employer.
  • Millie authorizes her claims-based medication history data to be imported into her PHR. (Millie's PHR Company stores copy I-19.)

Source of Data	Personal Data Transferred	Transfer Reason	Transaction Detail (Source ⇒ Recipient)	Recipient Copy #	What Other Personal Data May the Recipient Have?
PBM	Demographic/ Contact Prescriber ID (e.g., NPI) Medication(s) dispensed (claims data only)	Auto-populate Millie's plan-sponsored PHR	PBM ⇒ Third-party PHR Company	I-19	Self-reported data entered by Millie

• Now Millie has her own electronic copy of the information, which she can forward to anyone of her choosing.

__________

1. Example of a payer claim form: (https://www.lifewisewa.com/lwwa/groups/public/documents/xcpproject/002636.doc).
2. Personal data transferred based on the SureScripts Rx History service: (http://www.ncvhs.hhs.gov/040330p2.pdf).
3. Personal data transferred based on RxHub's PRN service: (http://www.rxhub.net/images/pdf/solutions/rxhub_prn.pdf).
4. Example of a PBM Prior-Authorization form for Provigil: (https://www.caremark.com/portal/asset/Provigil.pdf).
5. Personal data transferred based on the SureScripts e-Prescribing service: (http://www.ncvhs.hhs.gov/040330p2.pdf).
6. Example of a payer claim form: (https://www.lifewisewa.com/lwwa/groups/public/documents/xcpproject/002636.doc).
7. Personal data transferred based on the SureScripts e-Prescribing Service: (http://www.ncvhs.hhs.gov/040330p2.pdf).
8. Example of MTM claim form: (https://www.bcbsal.org/providers/forms/pharmacyClaimForm.pdf).

---